SECURITY: off-by-one in smtp transport (read response)

[exim.git] / src / src / string.c

diff --git a/src/src/string.c b/src/src/string.c
index 7af87f92c2ce5fffff843d85e4f2c84d93e7d228..cb913242092e28e3e267a871b69e388eb77d0c3e 100644 (file)
--- a/src/src/string.c
+++ b/src/src/string.c
@@ -575,7 +575,7 @@ uschar *
 string_copy_dnsdomain(uschar *s)
 {
 uschar *yield;
-uschar *ss = yield = store_get(Ustrlen(s) + 1, is_tainted(s));
+uschar *ss = yield = store_get(Ustrlen(s) + 1, TRUE);  /* always treat as tainted */
 
 while (*s != 0)
   {
@@ -952,12 +952,15 @@ else
     s = ss;
     if (!*s || *++s != sep || sep_is_special) break;
     }
+
+  /* Trim trailing spaces from the returned string */
+
   /* while (g->ptr > 0 && isspace(g->s[g->ptr-1])) g->ptr--; */
   while (  g->ptr > 0 && isspace(g->s[g->ptr-1])
        && (g->ptr == 1 || g->s[g->ptr-2] != '\\') )
     g->ptr--;
   buffer = string_from_gstring(g);
-  gstring_release_unused(g);
+  gstring_release_unused_trc(g, CCS func, line);
   }
 
 /* Update the current pointer and return the new string */
@@ -1143,7 +1146,7 @@ BOOL srctaint = is_tainted(s);
 if (!g)
   {
   unsigned inc = count < 4096 ? 127 : 1023;
-  unsigned size = ((count + inc) &  ~inc) + 1;
+  unsigned size = ((count + inc) &  ~inc) + 1; /* round up requested count */
   g = string_get_tainted(size, srctaint);
   }
 else if (srctaint && !is_tainted(g->s))